Comment sought on Oracle agreement spurred by FTC complaint

Users have until January 20 to send comments to the FTC about a proposed settlement with Oracle regarding security risks posed by old versions of Java SE left behind after an update.

The public has until Jan. 20, 2016, to comment on a proposed settlement between the Federal Trade Commission and Oracle regarding alleged deceptive acts related to Java Platform Standard Edition.

The Federal Trade Commission (FTC) complaint against Oracle claims the company deceived its Java Platform Standard Edition (Java SE) customers when it promised them that installing updates to Java SE would keep the platform -- and the user's system -- secure. That assurance was misplaced, according to the FTC complaint.

Interested parties can send in comments electronically about the proposed settlement. According to the FTC, Oracle has agreed to the proposal. Oracle has declined to comment. As part of the agreement, Oracle admits no wrongdoing and will not have to pay a fine.

Agreement targets 850 million users

The proposed agreement would require Oracle to provide 850 million users with the ability to uninstall older versions of Java SE as well as provide more notification to its Java SE users. The company must notify users during the update process of any old copies of Java SE still in the system, explaining the risk posed by the older versions and informing users on how to get rid of the earlier versions of the software.

Additionally, the proposed agreement extends beyond Java SE to "any other software offered by Oracle directly to consumers to run programs on their computers or applications within a browser. [It] does not include software offered exclusively for developers or enterprises." In other words, the agreement covers Oracle's consumer software that runs on personal computers or inside a browser, but not software aimed at developers or enterprise use.

The update process in question allegedly didn't remove versions of Java SE prior to version 6 update 10. Those earlier versions contain significant security holes that leave a system open to malware and phishing. Oracle didn't inform its users that updating Java SE would not remove earlier versions that may pose security risks, the FTC complaint said.
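The practical risk described above, and the notification the proposed agreement would require, both come down to one question for an administrator: which Java SE installations on a machine predate version 6 update 10, the point before which the updater left old copies behind? The following is an added example, not code from the article or from Oracle, showing how to parse the version strings and uninstall-entry display names that Java installations typically expose and flag the ones older than that baseline. The inventory list is constructed for the example; on a real system you would feed it the display names from the OS's installed-programs list or the output of each JRE's `java -version`.

```python
import re

# Baseline from the FTC complaint summarised above: Java SE 6 Update 10 is the
# first release whose update process removed prior versions. Anything older
# may have been left behind by later updates.
CLEANUP_BASELINE = (6, 10)

# Legacy "1.<major>.0_<update>" strings as reported by pre-9 JREs, e.g. "1.6.0_09".
_LEGACY_DOTTED = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")
# Post-JEP-223 strings "<major>.<interim>.<update>", e.g. "9.0.4" (handled for
# completeness; these are all newer than the baseline).
_NEW_DOTTED = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)*$")
# Display names as they appear in an installed-programs list, e.g.
# "Java(TM) 6 Update 9", "Java 8 Update 66", "J2SE Runtime Environment 5.0 Update 22".
_DISPLAY_NAME = re.compile(
    r"(?:\bJava(?:\(TM\))?|\bJ2SE)\s*(?:SE\s*)?"
    r"(?:Runtime Environment\s*|Development Kit\s*)?"
    r"(\d+)(?:\.\d+)?(?:\s*Update\s*(\d+))?",
    re.IGNORECASE,
)


def parse_java_version(text):
    """Return (major, update) for a Java version string or display name,
    or None when the text is not recognisable as a Java SE install."""
    stripped = text.strip()
    m = _LEGACY_DOTTED.match(stripped)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _NEW_DOTTED.match(stripped)
    if m:
        return int(m.group(1)), int(m.group(3))
    m = _DISPLAY_NAME.search(stripped)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    return None


def is_pre_cleanup(version):
    """True when (major, update) is older than 6u10; tuple comparison orders
    by major first, then by update number."""
    return version < CLEANUP_BASELINE


def stale_installs(inventory):
    """Return [(entry, (major, update)), ...] for every inventory entry that
    parses as Java SE and predates the cleanup baseline."""
    flagged = []
    for entry in inventory:
        version = parse_java_version(entry)
        if version is not None and is_pre_cleanup(version):
            flagged.append((entry, version))
    return flagged


# Constructed sample inventory: mimics the display names an installed-programs
# list might show on a machine that has been through several Java updates.
SAMPLE_INVENTORY = [
    "Java(TM) 6 Update 9",                      # older than 6u10: should be flagged
    "Java(TM) 6 Update 10",                     # the baseline itself: not flagged
    "Java 7 Update 80",
    "Java 8 Update 66",
    "J2SE Runtime Environment 5.0 Update 22",   # older than 6u10: should be flagged
    "Notepad++ (64-bit)",                       # unrelated software: ignored
]

if __name__ == "__main__":
    for entry, (major, update) in stale_installs(SAMPLE_INVENTORY):
        print(f"leftover Java SE {major}u{update}: {entry!r} predates 6u10; remove it")
```

Running the script against the constructed inventory reports the 6u9 and J2SE 5.0 entries and nothing else. Tuple comparison is what makes the baseline check correct at the edge: (6, 9) sorts before (6, 10), while (6, 10) itself and everything newer passes.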

Further, Oracle has been aware of the security problems in early versions of Java SE since 2010, when it bought Java, according to the complaint. The FTC also alleged that Oracle has been aware of the inadequacy of its update process since 2011. For failing to disclose this information to its users, the FTC said Oracle had violated Section 5 of the Federal Trade Commission Act, which covers "unfair or deceptive acts and practices."
